This post shows you how to get that working for Android. It also skips
the stunnel hop, since that adds no value and only keeps Squid from
knowing your real address. To make setup easier, I’m also using a
username and password to authenticate to the proxy instead of client
certificates.

Hopefully this feature will be added to Chrome for Android soon (bug
here)

First, why you would want to do this

You have machines behind NAT

… and a proxy that can see the inside while still being accessible from the outside

This way you can port forward one port from the NAT box to the proxy,
and not have to use different ports everywhere. I’ll call this proxy
corp-proxy.example.com.

You have servers that don’t implement their own authentication

… and you want the proxy to do it for you

If you set things up so that the only way to connect to the servers is
via the proxy, then all access will be encrypted and
password-protected. You won’t get a green lock in your browser address
bar, since the connection is only protected between browser and proxy,
not all the way to the web server. This also applies to corp-proxy.example.com.

To encrypt traffic crossing country borders

For all traffic going to Sweden, you want to securely connect to a proxy in Sweden,
so that even traffic to unencrypted websites is encrypted when it’s going across borders.
I’ll call this sweden-proxy.example.com.

How to do it

1. Get a real SSL certificate for your proxy

Let’s Encrypt and StartSSL.com offer free
certificates. Put the .crt and .key files in /etc/squid3/. This
blog post does not discuss the big topic that is the security of CAs
and SSL.

2. Build and install Squid from source

For licensing reasons, the Squid package on Debian is built without
SSL. So let’s make a .deb and install it.